hpke: fix hpke key fetcher when using self-signed certificates

authorize/state.go

@@ -10,6 +10,7 @@ import (
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
+	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/hpke"
@@ -88,11 +89,7 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho
 	jwksURL := authenticateURL.ResolveReference(&url.URL{
 		Path: "/.well-known/pomerium/jwks.json",
 	}).String()
-	transport, err := config.GetTLSClientTransport(cfg)
+	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, httputil.GetInsecureTransport())
-	if err != nil {
-		return nil, fmt.Errorf("authorize: get tls client config: %w", err)
-	}
-	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
 
 	return state, nil
 }

internal/httputil/transport.go

@@ -0,0 +1,19 @@
+package httputil
+
+import (
+	"crypto/tls"
+	"net/http"
+)
+
+// GetInsecureTransport returns an HTTP transport which skips TLS verification.
+func GetInsecureTransport() *http.Transport {
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.Dial = nil
+	transport.DialContext = nil
+	transport.DialTLS = nil
+	transport.DialTLSContext = nil
+	transport.TLSClientConfig = &tls.Config{
+		InsecureSkipVerify: true,
+	}
+	return transport
+}

proxy/state.go

@@ -3,12 +3,12 @@ package proxy
 import (
 	"context"
 	"crypto/cipher"
-	"fmt"
 	"net/url"
 
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
+	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/sessions/cookie"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
@@ -66,11 +66,7 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	jwksURL := authenticateURL.ResolveReference(&url.URL{
 		Path: "/.well-known/pomerium/jwks.json",
 	}).String()
-	transport, err := config.GetTLSClientTransport(cfg)
+	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, httputil.GetInsecureTransport())
-	if err != nil {
-		return nil, fmt.Errorf("authorize: get tls client config: %w", err)
-	}
-	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
 
 	state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
 	if err != nil {